I am a new user of mikrotik routers, I try to use it as a home router with WLAN.
The integration of different networks works well, the Internet connection is available.
Unfortunately, I can not connect to the Internet, there is a fundamental error in my configuration. Can someone help me find the mistake? If possible with an explanation, so that I can understand it. Thank you in advance...
Here is my configuration:
Code: Select all
# may/12/2019 12:48:11 by RouterOS 6.44.2
# software id = XXXX-XXXX
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full,1000M-full mtu=1598
set [ find default-name=sfp1 ] advertise=1000M-full mtu=1598
/interface vlan
add interface=sfp1 mtu=1560 name=vlan7 vlan-id=7
add interface=bridge name=vlan10 use-service-tag=yes vlan-id=10
add interface=bridge name=vlan20 use-service-tag=yes vlan-id=20
add interface=bridge name=vlan30 use-service-tag=yes vlan-id=30
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan7 max-mru=1500 max-mtu=\
1500 name=pppoe-out1 password=12345678 service-name=Telekom user=\
123456781234567812345678@t-online.de
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
supplicant-identity=MikroTik wpa-pre-shared-key=XxXxXxX \
wpa2-pre-shared-key=XxXxXxX
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profile10 supplicant-identity="" \
wpa2-pre-shared-key=XxXxXxX
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profile20 supplicant-identity="" \
wpa2-pre-shared-key=XxXxXxX
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profile30 supplicant-identity="" \
wpa2-pre-shared-key=XxXxXxX
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=\
20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto \
frequency-mode=regulatory-domain mode=ap-bridge name=comp_net_2 \
security-profile=profile10 ssid=CompNET vlan-id=10 vlan-mode=\
use-service-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac \
channel-width=20/40/80mhz-XXXX country=germany disabled=no distance=\
indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge \
name=comp_net_5 security-profile=profile10 ssid=CompNET vlan-id=10 \
vlan-mode=use-service-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:54:4F:23:3F \
master-interface=comp_net_2 multicast-buffering=disabled name=home_net_2 \
security-profile=profile30 ssid=HomeNET vlan-id=30 vlan-mode=\
use-service-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:54:4F:23:3D \
master-interface=comp_net_5 multicast-buffering=disabled name=home_net_5 \
security-profile=profile30 ssid=HomeNET vlan-id=30 vlan-mode=\
use-service-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:54:4F:23:3E \
master-interface=comp_net_2 multicast-buffering=disabled name=spy_net_2 \
security-profile=profile20 ssid=SpyNET vlan-id=20 vlan-mode=\
use-service-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=66:D1:54:4F:23:40 \
master-interface=comp_net_5 multicast-buffering=disabled name=spy_net_5 \
security-profile=profile20 ssid=SpyNET vlan-id=20 vlan-mode=\
use-service-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp10 ranges=192.168.10.5-192.168.10.254
add name=dhcp20 ranges=192.168.20.5-192.168.20.254
add name=dhcp30 ranges=192.168.30.5-192.168.30.254
add name=pool100 ranges=192.168.100.1-192.168.100.254
/ip dhcp-server
add address-pool=dhcp10 disabled=no interface=vlan10 name=server10
add address-pool=dhcp20 disabled=no interface=vlan20 name=server20
add address-pool=dhcp30 disabled=no interface=vlan30 name=server30
add address-pool=pool100 disabled=no interface=bridge name=server100
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1
add bridge=bridge interface=comp_net_2
add bridge=bridge interface=comp_net_5
add bridge=bridge interface=spy_net_2
add bridge=bridge interface=spy_net_5
add bridge=bridge interface=home_net_2
add bridge=bridge interface=home_net_5
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=vlan10,comp_net_2,comp_net_5 untagged=bridge \
vlan-ids=10
add bridge=bridge tagged=vlan20,spy_net_2,spy_net_5 untagged=bridge vlan-ids=\
20
add bridge=bridge tagged=vlan30,home_net_2,home_net_5 untagged=bridge \
vlan-ids=30
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.100.1/24 interface=bridge network=192.168.100.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.10.5 comment="Desk" mac-address=XX:XX:XX:XX:XX:XX \
server=server10
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.250 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.250 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.250 gateway=192.168.30.1
add address=192.168.100.0/24 dns-server=192.168.10.250 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=10.0.0.0/8 list=bogons
add address=100.64.0.0/10 list=bogons
add address=127.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=172.16.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.0.0/16 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=240.0.0.0/4 list=bogons
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop bogons<-WAN" in-interface=vlan7 \
src-address-list=bogons
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=\
192.168.10.0/24
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=\
192.168.20.0/24
add action=drop chain=forward dst-address=192.168.30.0/24 src-address=\
192.168.10.0/24
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=\
192.168.30.0/24
add action=drop chain=forward dst-address=192.168.30.0/24 src-address=\
192.168.20.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=\
192.168.30.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ip ssh
set allow-none-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system leds
set 0 interface=pppoe-out1 type=interface-transmit
set 1 interface=spy_net_5 type=interface-transmit
set 2 type=interface-transmit
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org,time.google.com
/tool graphing interface
add allow-address=192.168.0.0/16
/tool graphing queue
add allow-address=192.168.0.0/16
/tool graphing resource
add allow-address=192.168.0.0/16
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN